Optus appears to have left 10 million Australians’ private information so poorly guarded that breaching its safeguards could have been a case of child’s play, a leading information security expert said.
The latest news on the Optus hacking is that Australian investigators have now called on the US counterparts at the FBI to offer support.
But while the case has attracted the attention of international authorities, experts said the hacking may not have been the work of any sophisticated group.
“It could well have been an opportunistic kid,” Troy Hunt, a Microsoft regional director and the creator of the world’s leading public database of information security breaches, told The New Daily.
“Certainly, what we have seen represented as the way that Optus was breached was extraordinarily trivial and unsophisticated.
“It could have been, literally, a child or very often it’s a very young adult with a bit of time on their hands who got lucky.”
Mr Hunt is the creator of haveibeenpwned.com, a data breach database used by a number of national governments including Australia, for cyber security analysis.
His take on the hack raises major questions including whether Optus – which has styled itself as a victim – seemed almost unprepared for the possibility its information could be stolen, data we now know extends to Medicare numbers.
Optus lobbied for – and received – a relaxation of certain requirements for stress-testing its cyber defences under a 2021 reform to major service providers (Security Legislation Amendment) after arguing they were commercially onerous.
Former Optus lobbyist and former communications minister Paul Fletcher denied that the telco had been given exemptions during a review of telecommunications security laws while he was minister.
“There was an orthodox policy development process in which submissions were made by multiple companies including many telcos and their industry peak body and any suggestion there was some kind of special deal for Optus is entirely baseless,” he said.
Home Affairs and Cyber Security Minister Clare O’Neil has suggested the attack was an unsophisticated “basic hack”.
Optus claims in doubt
Even basic facts circulated by the telco last week about the hack have been put into doubt after an online account with access to stolen data – claiming to be the hacker – contested Optus’ version of events.
They said the hack spanned 11.2 million users (not the 9.8 million “worst case scenario”, chief executive Kelly Bayer Rosmarin cited) and exploited “bad access control” in an unauthenticated application programming interface (API) at Optus.
In basic terms, APIs are ways for computers to pass code between each other (such as instructions). They are often used to enable services such as Google’s weather alerts, which make use of Bureau of Meteorology data.
They are supposed to be safe because companies usually have authentication rules attached to their APIs – but Optus allegedly did not.
“What we’ve seen is there was an API where you pass a phone number and a phone number’s just … you just keep adding one and you cover them all eventually,” Mr Hunt said.
“So why was there an API [without user] authentications? That could be a programming error.”
(YouTuber Tom Scott has a useful explainer on APIs here.)
Tweet from @VicRoads
Tweet from @AnnastaciaMP
Ms O’Neil described Optus security practices as “leaving the window open” to hackers on Monday, and was even less impressed after it emerged on Tuesday that stolen data also contained Medicare numbers.
Optus had not previously told the public Medicare details were taken.
“Medicare numbers were never advised to form part of compromised information from the breach,” Ms O’Neil said on Tuesday morning.
“Consumers have a right to know exactly what individual personal information has been compromised in Optus’ communications to them.”
Optus has rebuffed repeated questions about emerging evidence this week by citing an ongoing Australian Federal Police investigation.
But it’s unclear how long Optus can dodge scrutiny, with Ms O’Neil now flagging a crackdown on telco data practices and much tougher fines.
Lawyers are also circling around what could be a sizeable class action, particularly if any more of the stolen information leaks online or is sold.
In other developments, Australians caught up in the breach will be able to change their driver’s licence numbers and get new cards, with the telco expected to bear the multi-million cost of changeover.
The NSW, Victorian, Queensland and South Australia governments on Tuesday night began clearing the bureaucratic hurdles for anyone who can prove they are victims of the hack.
“People are understandably stressed and need a pathway forward,” NSW Customer Service Minister Victor Dominello said on Twitter.
NSW will charge a $29 replacement fee, which it said will be reimbursed by Optus.
Victorians will also get “free” licence number replacements and the chance to flag their licence record in case of future fraud.
“We will request Optus repays the cost of the new licences to the Victorian government,” a spokesperson for the state’s Transport department said.
Similar arrangements are being made in other states and territories and the cost to Optus could run into the tens of millions of dollars.
Tweet from @VictorDominello
Australian privacy at risk
However, underneath the mammoth public relations battle going on in the halls of Parliament and Optus’ Macquarie Park office in Sydney are much deeper questions about the privacy of Australian personal data.
Mr Hunt said the public should be asking why Optus was holding so much data in the first place.
The telco has previously said it is required to keep identity records on customers for up to six years under Australian data retention laws.
“Why did they need all this identity data in the first place, if not for the initial identity verification then to retain it in the long term?” Mr Hunt said.
“And particularly to retain it for customers who are not even customers any more?
“Is this actually a good idea for the industry to have to retain this sort of information and Medicare data is in there as well,” he said.
“You cannot lose what you do not have. And I think the biggest question of all to ask after this is: Do we really want any party to have this data for what seems to be perpetuity?”